Russian cyberattackers spotted hitting Microsoft Teams with new phishing campaign


  • Microsoft has spotted a new phishing attack vector in the wild
  • Storm-2372 is stealing access tokens through Microsoft Teams
  • The group has been linked to Russia with medium confidence

A new phishing campaign has been spotted using ‘device code phishing’ through Microsoft Teams to target governments, NGOs, and other industries across Europe, North America, Africa, and the Middle East.

The attack, spotted by Microsoft itself, leverages Teams video conferencing meeting invitations that prompt the victim to enter a device code generated by the attacker. Doing so hands the attacker valid access tokens, giving them access to the victim's emails and sensitive data.

Microsoft assesses with a medium level of confidence that the group, tracked as Storm-2372, is acting in line with Russian tactics and interests.

Data theft and lateral movement

Microsoft says the threat actor would first build up a rapport with the victim through messaging services such as WhatsApp, Signal, and Microsoft Teams, positioning themselves as an important figure within the victim’s industry. The attacker then invites the victim to an online meeting, where the victim is prompted to complete a device code authentication request.

(Image: Storm-2372 messages to establish rapport. Image credit: Microsoft)

The actor generates a legitimate device code authentication request and then sends the code to the victim. The victim enters the code into the legitimate authentication service page, which allows the attacker to capture access and refresh tokens and maintain control over the account.

From there, the attacker will often attempt to move laterally with the valid access tokens, running keyword searches in the messaging service to harvest sensitive data, including usernames and passwords, as well as data related to the keywords admin, teamviewer, anydesk, credentials, secret, ministry, and gov.

(Image: Storm-2372 attack flow. Image credit: Microsoft)

The attacker can also use the compromised account to message or email colleagues with additional phishing messages. Storm-2372 has also been observed using the specific client ID for Microsoft Authentication Broker to request additional tokens that allow the attacker to register their own devices as authentication devices through Entra ID.
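For defenders, the sequence described above (a successful device code sign-in, then activity through Microsoft Authentication Broker) can be hunted for in sign-in logs. The following is an added example, not code from Microsoft or the article; the record fields are assumed to follow a Microsoft Graph sign-in export, the 24-hour window is an arbitrary choice, and all sample records are constructed.

```python
from datetime import datetime, timedelta

BROKER_APP = "Microsoft Authentication Broker"
WINDOW = timedelta(hours=24)  # assumed correlation window; tune per tenant

def _rec(time, user, app, protocol, ip, error=0):
    # Builds a record shaped like a Microsoft Graph signIn entry (assumed fields).
    return {"createdDateTime": time, "userPrincipalName": user, "appDisplayName": app,
            "authenticationProtocol": protocol, "ipAddress": ip,
            "status": {"errorCode": error}}  # non-zero errorCode = failed sign-in

# Constructed sample data: documentation IP ranges and example.com users only.
SAMPLE_SIGN_INS = [
    _rec("2025-02-10T08:15:00Z", "carol@example.com", BROKER_APP, "none", "198.51.100.7"),
    _rec("2025-02-10T09:02:11Z", "alice@example.com", "Microsoft Office", "deviceCode", "203.0.113.45"),
    _rec("2025-02-10T09:40:00Z", "alice@example.com", BROKER_APP, "none", "203.0.113.45"),
    _rec("2025-02-10T11:30:00Z", "bob@example.com", "Microsoft Azure CLI", "deviceCode", "198.51.100.20"),
    _rec("2025-02-10T12:00:00Z", "dave@example.com", "Microsoft Office", "deviceCode", "203.0.113.45", error=50126),
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def _ok(rec):
    return rec.get("status", {}).get("errorCode") == 0

def find_device_code_sign_ins(sign_ins):
    """One finding per successful device code sign-in, oldest first."""
    ordered = sorted(sign_ins, key=_ts)
    findings = []
    for rec in ordered:
        if rec.get("authenticationProtocol") != "deviceCode" or not _ok(rec):
            continue
        user, start = rec["userPrincipalName"].lower(), _ts(rec)
        # Broker sign-ins by the same user inside the window, including this
        # record itself when the device code request used the broker client.
        broker = [r["createdDateTime"] for r in ordered
                  if r["userPrincipalName"].lower() == user
                  and r.get("appDisplayName") == BROKER_APP and _ok(r)
                  and start <= _ts(r) <= start + WINDOW]
        findings.append({"user": user, "time": rec["createdDateTime"],
                         "ip": rec.get("ipAddress"),
                         "severity": "high" if broker else "review",
                         "broker_sign_ins": broker})
    return findings

if __name__ == "__main__":
    for finding in find_device_code_sign_ins(SAMPLE_SIGN_INS):
        print(finding)
```

A "review" finding is a device code sign-in that may be legitimate (for example a command-line tool); "high" marks the ones followed by broker activity, which are the first candidates for session revocation.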

In order to protect against the specific attack vector used by Storm-2372, Microsoft recommends:

  • Disable device code flow wherever possible.
  • Provide phishing training to all users.
  • Revoke access tokens using revokeSignInSessions when Storm-2372 activity is suspected.
  • Introduce a sign-in risk-based policy to block access or force multi-factor authentication for high-risk sign-ins.

The full list of defenses and mitigation can be found here.
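To check whether the first recommendation is actually in force, an exported set of Conditional Access policies can be audited for an enforced block on device code flow. This is an added example, not part of the article or Microsoft's guidance; the policy fields are assumed to follow the Microsoft Graph conditionalAccessPolicy format, and the policy names and group ID are constructed placeholders.

```python
# Constructed policies shaped like Microsoft Graph conditionalAccessPolicy
# objects (assumed export format); names and the group ID are placeholders.
SAMPLE_POLICIES = [
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["00000000-0000-0000-0000-000000000001"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Device code flow (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA for high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def _transfer_methods(policy):
    # transferMethods may arrive as a comma-separated string or as a list.
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    parts = raw if isinstance(raw, list) else raw.split(",")
    return {p.strip() for p in parts if p.strip()}

def audit_device_code_policies(policies):
    """Split policies that target device code flow into enforced blocks and gaps."""
    report = {"enforced": {}, "gaps": {}}
    for pol in policies:
        if "deviceCodeFlow" not in _transfer_methods(pol):
            continue  # policy does not address device code flow at all
        users = (pol.get("conditions") or {}).get("users") or {}
        controls = (pol.get("grantControls") or {}).get("builtInControls") or []
        problems = []
        if pol.get("state") != "enabled":
            problems.append("state is " + str(pol.get("state")))
        if "block" not in controls:
            problems.append("grant control is not block")
        if "All" not in (users.get("includeUsers") or []):
            problems.append("does not include all users")
        if problems:
            report["gaps"][pol["displayName"]] = problems
        else:
            # Exclusions are the accounts still able to use device code flow.
            excluded = [x for k in ("excludeUsers", "excludeGroups", "excludeRoles")
                        for x in (users.get(k) or [])]
            report["enforced"][pol["displayName"]] = sorted(excluded)
    return report
```

An empty "enforced" map means no policy currently blocks device code flow; any exclusions listed under an enforced policy are the principals to watch most closely in sign-in logs.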

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
